I'm not sure why this was changed from "privacy" to "security".
–
KenFeb 8 '11 at 20:52

If you enter PII in them then of course the crash could very well contain it. There's nothing preventing the programmer from accessing network or device data inside their program so you would have to have access to the source code of the app to know if any particular crash would have privacy concerns.
–
bmike♦Apr 28 '11 at 17:45

2 Answers
2

Crash logs are safe to post in public. There is no identifying information about you in them. All of the random looking text you see are addresses of the various methods that get symbolicated by Xcode into method names. This lets the developers see the exact line of code that caused the problem.

Also know, it is harder to symbolicate crash logs that have been copied and pasted. It would be more helpful for the developers to get your crash logs in the original .crash file.
It looks like this is no longer the case, I had no problem copy and pasting a crash log and symbolicating using the latest Xcode.

This isn’t correct: .crash files are just plain text files. Copied and pasted crash logs can just be saved as .crash files and viewed in the normal viewer. Not that this actually has any advantages. The only potential problem is loss of formatting when the copying and pasting removed excessive whitespace.
–
Konrad RudolphAug 5 '11 at 8:21

At least in my personal experience, I've never been able to get pasted crash logs to symbolicate in Xcode. Unless something has changed in the newer Xcode versions to allow this, it will not work. When you try to paste the contents of a crash log into a new file and save as .crash, Xcode organizer ignores it and it has to be symbolicated by hand via the command line which is frustrating.
–
einsteinx2Aug 8 '11 at 6:16

1

Not sure what you did (wrong) but .crash files are just text files. You can easily verify this.
–
Konrad RudolphAug 8 '11 at 20:39

I did another test with the latest Xcode and it did symbolicate a copy/pasted crash log. So that seems to no longer be an issue, but back when I was using Xcode 3 I swear I had trouble with any copy/pasted log. Not sure what the problem was but they didn't work for some reason.
–
einsteinx2Oct 12 '11 at 3:23

The security by obscurity (values are in hexadecimal) is pretty good and the chance of something sensitive getting exposed is very very low, but sharing a crash report publicly could be hazardous to your privacy.

I would say don't post anything until you really understand what a device GUID is and how to read a stack trace or hexadecimal characters. Also your risk is directly affected by the nature of the program. Tiny Wings knows nothing because I've told it nothing. It's also unlikely to have scanned my address book or location/contact information.

On the other side, my banking program has to store PIN numbers and things I enter clearly before it encrypts them. 1Password works with sensitive data like my social security number. Even though the program may eventually store the data encrypted - a crash report can crash at the point where the data is being turned into something you see clearly on the screen - a sequence of digits. Basically, for a fleeting moment, the data is not protected.

The general question "Is it safe to post?" has to be no without other qualifications on the data stored in the app. Especially when posting it to something so public and permanent as the internet.

hear hear, unless you actually go through all the exposed data yourself, and therefore dont need the advice, you really can have no guarantees.
–
hobsApr 28 '11 at 18:59

Are you claiming that private data (instance values) go into Stack Traces? I know the device GUID does, but what else do you claim goes into a Stack Trace that is private?
–
Jason SalazApr 29 '11 at 16:55

No - the app store rules try to prevent that sort of thing (self modifying code and all) - but nothing prevents that if the programmer wants to get creative in encoding data for remote debugging. It's very unlikely but data on the ARM registers could be private. Highly, highly unlikely - perhaps I should edit my answer to be less strong? I'd not want my aggregated crash logs or CrashReporter Key to be public record. The crash report was intentionally designed to not share private data, but programs crash when they don't behave as planned.
–
bmike♦Apr 29 '11 at 21:16